  1. #1

    OpenDNS - thoughts?

    Hey all,

    I'm trying to get opinions on using OpenDNS (OpenDNS | Providing A Safer And Faster Internet) to filter web content for K-12 schools. I've tested it in a small sample and it seems decent, so long as we can prevent users from changing DNS settings.

    Pros:
    Saves our district ~ $7,000 USD a year for filtering license
    Uses a category database that another pay-for product uses (I want to say it's the iGuard database that the iPrism uses, but I've looked at so many recently I could be wrong).
    Allows for black/white list URLs similar to our current filtering (Fortinet)

    Cons:
    Generally untested
    Doesn't provide deep packet inspection and dynamic proxy blocking like other pay-for sources (DeepNines as an example)

    If anyone's using this, I'd love their take on it. We're converting from a Novell network to Microsoft and expect to use group policy to prevent changes to DNS - if anyone knows why that won't work, please give me a shout, too. (I'm new to GP but am learning quickly).

    Hope everyone's doing well. Thanks as always.

    Damian Bailey
    Lead Tech
    Louisa County Schools, VA, USA

  2. #2
    Galway

    I use it at home on my router, it's got the updater that tracks the IP and so I find it a dream to use.
    Clamp down the DNS settings via group policy and you should be sorted.

    The options allow tracking what URLs are visited and you can blacklist or whitelist sites easily.
    Not really sure why our authority have not used it, since I find it quite fast in use, but I guess it would do the IT guys out of a job or they prefer to have complete control over the filtering.

  3. #3

    Michael

    It's very good considering it's free. I use it just as my DNS at home. I don't use the available filtering options (which just requires you to create an account).

    It would be perfect if it was made impossible to enter numbers (IP addresses) into the address bar in Internet Explorer. This may be possible by creating a custom plugin, or something along those lines; however if it was, I would be surprised why it hasn't already been done.

  4. #4


    Quote (originally posted by Michael):
        It's very good considering it's free. I use it just as my DNS at home. I don't use the available filtering options (which just requires you to create an account).

        It would be perfect if it was made impossible to enter numbers (IP addresses) into the address bar in Internet Explorer. This may be possible by creating a custom plugin, or something along those lines; however if it was, I would be surprised why it hasn't already been done.

    Galway: My boss will be excited that it will track the IP address used to log sites. We pay extra for a tracking software that we may also not need with that. ...now if it would just map with AD (not likely as it's outside our network, technically).

    Michael: Just so I'm following you, OpenDNS will allow IP addresses into the address bar, but does it still block those IPs of sites that are in its blacklist or "bad" category lists? Or is entering IP address of sites a workaround to its filtering? (Seems like a large hole, but something good to know).

    I'll also change over my DNS settings here on my laptop and test it as well..but just curious if you've already done the same.

  5. #5

    Michael

    This is the main problem with DNS filtering. DNS converts web addresses we as humans type into IP addresses and retrieves the website you've requested.

    Typing an IP address directly into Internet Explorer bypasses the need for DNS, so the page is retrieved automatically. So in theory, a pupil could work out the IP for an adult website and enter it within school. Open DNS wouldn't filter this and pupils would be required to have lists of IPs instead of web addresses.

  6. Thanks to Michael from:

    LCPSWolf (22nd April 2009)
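
Added example, not part of any post in this thread: a log check for the two gaps discussed above, clients that query a resolver other than the approved ones, and requests whose host is a bare IP address, so no DNS lookup (and no DNS filtering) took place. The log format, field layout and sample lines are constructed for illustration; the approved resolver addresses are the OpenDNS ones quoted in post #11.

```python
import ipaddress

# Approved resolvers: the OpenDNS addresses quoted in post #11 of this thread.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample egress log (hypothetical format):
# timestamp client proto dst_ip dst_port host   ("-" when there is no Host/SNI)
SAMPLE_LOG = """\
2009-04-22T10:01:02 10.1.4.23 udp 208.67.222.222 53 -
2009-04-22T10:01:03 10.1.4.23 tcp 192.0.2.10 80 www.example.com
2009-04-22T10:02:11 10.1.7.40 udp 198.51.100.53 53 -
2009-04-22T10:02:15 10.1.7.41 tcp 203.0.113.80 80 203.0.113.80
2009-04-22T10:03:00 10.1.7.41 tcp 203.0.113.80 8080 203.0.113.80:8080
2009-04-22T10:03:30 10.1.9.12 tcp 2001:db8::5 80 [2001:db8::5]:80
malformed line
"""


def is_ip_literal(host):
    """True if host (optionally with :port, or bracketed IPv6) is an IP address."""
    if host.startswith("["):                 # [v6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # v4:port or name:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(log_text, resolvers=APPROVED_RESOLVERS):
    """Return (client, reason, destination) for traffic that sidesteps the DNS filter."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                          # skip malformed lines
        _ts, client, _proto, dst, dport, host = fields
        if dport == "53" and dst not in resolvers:
            findings.append((client, "dns-to-unapproved-resolver", dst))
        elif dport != "53" and host != "-" and is_ip_literal(host):
            findings.append((client, "ip-literal-host", host))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Findings of the first kind indicate clients whose DNS settings were not locked down; the second kind shows traffic the DNS filter never saw and that a URL- or IP-based control would have to catch.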

  7. #6

    Michael,
    What a great point (and a polite explanation of DNS). I'll research a way to block this - it now makes sense some of the help documentation I've seen on our Fortigate box that has a wildcard mask for blocking IP addresses of this type.

    Awesome. I'll let you know what I come up with.

  8. #7

    powdarrmonkey

    Quote (originally posted by LCPSWolf):
        Pros:
        Saves our district ~ $7,000 USD a year for filtering license

    No, it doesn't. DNS filtering is all or nothing for a given domain (example.com), so you can't differentiate between example.com/goodstuff and example.com/badstuff.

    You still need a URL- or content-based filter in place.

  9. #8

    matt40k

    Seems a bit.... well... how is it funded? Bit too good to be true.

  10. #9

    Quote (originally posted by powdarrmonkey):
        No, it doesn't. DNS filtering is all or nothing for a given domain (example.com), so you can't differentiate between example.com/goodstuff and example.com/badstuff.

        You still need an URL- or content-based filter in place.

    Good point. We typically are blocking total domains, but there may be cases we want to only block a portion....hmm. Have to wonder if that's worth it.

    Thanks.

  11. #10

    powdarrmonkey

    Quote (originally posted by LCPSWolf):
        Have to wonder if that's worth it.

    It's worth it as part of your arsenal, just don't throw out the gun cupboard for a mouse trap.

  12. #11

    I love that analogy!

    Going back to the not blocking by IP, I just changed my DNS settings on my laptop to OpenDNS servers (208.67.222.222 and 208.67.220.220) and attempted to browse to 208.69.32.130. (I'm running IE7, for what that's worth). It was blocked as a site not allowed on our network (gambling).

    I had not visited this site previously.

    Am I missing something or is this working better than expected?

    I just saw that OpenDNS uses St. Bernard's iGuard data for its category filtering.
    Last edited by LCPSWolf; 22nd April 2009 at 03:21 PM. Reason: updated filtering category source

  13. #12

    m25man

    OpenDNS rocks and the reason it is disliked by many on this forum is because it makes their expensive filtering systems look like the rip off they have become!

    Open DNS still filters IP addresses only.

    Yes, the lack of granular control can be an issue for some but in those sites we have worked around this with multiple gateways and configured proxies.

    What I like most about it is that as more people find ways to migrate to it and make it work for them, the commercial products have to stop charging ridiculous rates for their services.

    If you can save $000's of dollars this year when budgets are cut to the bone and your job is on the line why not.

    Hey, it's not going to cost you a penny to try it!

  14. #13

    EduTech

    I use it at home, and yeah it's pretty good stuff! Faster than waiting for Virgin's DNS records to update

    and best of all it's FREE well done to those guys

  15. #14

    Michael

    OpenDNS had a huge cash injection put into it, as they have DNS servers strategically positioned over most parts of the world. Not only does this speed things up, it also adds redundancy too. Rumour has it also that their DNS servers speed up access, but I believe this to be false.
    However, another advantage to its service is they're using DNS to block the sources of Conficker. Again this is all free and no doubt they'll introduce other services based around DNS.

    As for making money, they are in partnership with Yahoo and generate $20,000 a day from viewing/clicking on adverts. A typical example is if you mis-typed a URL you'll be redirected to their customised Yahoo search. It's as simple as that.
